

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
<title>A Detailed Documentation on How to Configure Ceph Kerberos Authentication &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/underscore.js"></script>
        <script src="../../_static/doctools.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="CephFS Mirroring" href="../cephfs-mirroring/" />
    <link rel="prev" title="Cache pool" href="../cache-pool/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
    

















  </header>
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <div class="section" id="ceph-kerberos">
<h1>A Detailed Documentation on How to Configure Ceph Kerberos Authentication<a class="headerlink" href="#ceph-kerberos" title="Permalink to this headline">¶</a></h1>
<p>This document provides details on the Kerberos authentication protocol. This
is the first draft, and we will try to keep it updated along with code changes
that might take place.</p>
<p>Several free implementations of this protocol are available (MIT, Heimdal,
MS…), covering a wide range of operating systems. The Massachusetts
Institute of Technology (MIT), where Kerberos was originally developed,
continues to develop its Kerberos package, and it is the implementation we
chose to work with: <a class="reference external" href="http://web.mit.edu/Kerberos/">MIT Kerberos</a>.</p>
<p>Please provide feedback to Daniel Oliveira (<a class="reference external" href="mailto:doliveira&#37;&#52;&#48;suse&#46;com">doliveira<span>&#64;</span>suse<span>&#46;</span>com</a>).</p>
<p><em>Last update: Dec 3, 2018</em></p>
<div class="line-block">
<div class="line"><br /></div>
</div>
<div class="section" id="id1">
<h2>Background<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h2>
<p>Before we get into <em>Kerberos details</em>, let us define a few terms so we can
understand what to expect from it, <em>what it can and can’t do</em>:</p>
<dl>
<dt>Directory Services</dt><dd><p>A directory service is a customizable information store that functions as
a single point from which users can locate resources and services
distributed throughout the network. This customizable information store
also gives administrators a single point for managing its objects and their
attributes. Although this information store appears as a single point to
the users of the network, it is actually most often stored in a distributed
form. A directory service consists of at least one <em>Directory Server and a
Directory Client</em> and is implemented based on <em>X.500 standards</em>.</p>
<p><em>OpenLDAP, 389 Directory Server, MS Active Directory, NetIQ eDirectory</em> are
some good examples.</p>
<p>A directory service is often characterized as a <em>write-once-read-many-times
service</em>, meaning the data that would normally be stored in a directory
service would not be expected to change on every access.</p>
<p>The database that forms a directory service <em>is not designed for
transactional data</em>.</p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl>
<dt>LDAP (Lightweight Directory Access Protocol v3)</dt><dd><p>LDAP is a set of LDAP Protocol Exchanges <em>(not an implementation of a
server)</em> that defines the method by which data is accessed. LDAPv3 is a
standard defined by the IETF in RFC 2251 and describes how data is
represented in the Directory Service (the Data Model or DIT).</p>
<p>Finally, it defines how data is loaded into (imported) and saved from
(exported) a directory service (using LDIF). LDAP does not define how data
is stored or manipulated. Data Store is an ‘automagic’ process as far as
the standard is concerned and is generally handled by back-end modules.</p>
<p>No Directory Service implementation has all the features of the LDAP v3
protocol implemented. All Directory Server implementations have their own
problems and/or anomalies, and features that may not return
results as another Directory Server implementation would.</p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl>
<dt>Authentication</dt><dd><p>Authentication is about validating credentials (like User Name/ID and
password) to verify an identity. The system determines whether users are
who they say they are, based on the credentials they present.</p>
<p>Usually, authentication is done by a username and password, and sometimes
in conjunction with <em>(single, two, or multi) factors of authentication</em>,
which refers to the various ways to be authenticated.</p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl class="simple">
<dt>Authorization</dt><dd><p>Authorization occurs after the identity is successfully authenticated by
the system, which ultimately gives one full permission to access the
resources such as information, files, databases, and so forth, almost
anything. It determines the ability to access the system and up to what
extent (what kind of permissions/rights are given and to where/what).</p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl class="simple">
<dt>Auditing</dt><dd><p>Auditing takes the results from both <em>authentication and authorization</em> and
records them into an audit log. The audit log records all actions
taken by/during authentication and authorization for later review by
the administrators. While authentication and authorization are preventive
systems (in which unauthorized access is prevented), auditing is a reactive
system (it gives a detailed log of how/when/where someone accessed
the environment).</p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl>
<dt>Kerberos (KRB v5)</dt><dd><p>Kerberos is a network <em>authentication protocol</em>. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography (symmetric keys). A free implementation of this protocol is
available from MIT. However, Kerberos is available in many commercial
products as well.</p>
<p>It was designed to provide secure authentication to services over an
insecure network. Kerberos uses tickets to authenticate a user or service
application, and never transmits passwords over the network in the clear,
so both client and server can prove their identity without sending any
unencrypted secrets over the network.</p>
<p>Kerberos can be used for single sign-on (SSO). The idea behind SSO is
simple: we want to log in just once and be able to use any service that we
are entitled to, without having to log in to each of those services.</p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl>
<dt>Simple Authentication and Security Layer (SASL)</dt><dd><p>SASL <strong>(RFC 4422)</strong> is a framework that helps developers to implement
different authentication mechanisms (implementing a series of challenges
and responses), allowing both clients and servers to negotiate a mutually
acceptable mechanism for each connection, instead of hard-coding them.</p>
<p>Examples of SASL mechanisms:</p>
<blockquote>
<div><ul>
<li><p>ANONYMOUS <strong>(RFC 4505)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>For guest access, meaning <em>unauthenticated</em></p></li>
</ul>
</div></blockquote>
</li>
<li><p>CRAM-MD5 <strong>(RFC 2195)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>Simple challenge-response scheme based on <em>HMAC-MD5</em>.
It does not establish any security layer. <em>Less secure than
DIGEST-MD5 and GSSAPI.</em></p></li>
</ul>
</div></blockquote>
</li>
<li><p>DIGEST-MD5 <strong>(RFC 2831)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>HTTP Digest compatible <em>(partially)</em> challenge-response scheme
based upon MD5, offering a <em>data security layer</em>. It is preferred
over PLAIN text passwords, protecting against plain text attacks.
It is a mandatory authentication method for LDAPv3 servers.</p></li>
</ul>
</div></blockquote>
</li>
<li><p>EXTERNAL <strong>(RFCs 4422, 5246, 4301, 2119)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>Where <em>authentication is implicit</em> in the context (i.e., for
protocols already using IPsec or TLS [TLS/SSL performing
certificate-based authentication]). This method uses public keys for
strong authentication.</p></li>
</ul>
</div></blockquote>
</li>
<li><p>GS2 <strong>(RFC 5801)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>A family of mechanisms that supports arbitrary GSS-API mechanisms in
SASL</p></li>
</ul>
</div></blockquote>
</li>
<li><p>NTLM (MS Proprietary)</p>
<blockquote>
<div><ul class="simple">
<li><p>MS Windows NT LAN Manager authentication mechanism</p></li>
</ul>
</div></blockquote>
</li>
<li><p>OAuth 1.0/2.0 <strong>(RFCs 5849, 6749, 7628)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>Authentication protocol for delegated resource access</p></li>
</ul>
</div></blockquote>
</li>
<li><p>OTP <strong>(RFC 2444)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>One-time password mechanism <em>(obsoletes the SKEY mechanism)</em></p></li>
</ul>
</div></blockquote>
</li>
<li><p>PLAIN <strong>(RFC 4616)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>Simple Cleartext password mechanism <strong>(RFC 4616)</strong>. This is not a
preferred mechanism for most applications because of its relative
lack of strength.</p></li>
</ul>
</div></blockquote>
</li>
<li><p>SCRAM <strong>(RFCs 5802, 7677)</strong></p>
<blockquote>
<div><ul class="simple">
<li><p>Modern challenge-response mechanism with channel binding
support</p></li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl>
<dt>Generic Security Services Application Program Interface (GSSAPI)</dt><dd><p>GSSAPI <strong>(RFCs 2078, 2743, 2744, 4121, 4752)</strong> is widely used by protocol
implementers as a way to implement Kerberos v5 support in their
applications. It provides a generic interface and message format that can
encapsulate authentication exchanges from any authentication method that
has a GSSAPI-compliant library.</p>
<p>It does not define a protocol, authentication, or security mechanism
itself; it instead makes it easier for application programmers to support
multiple authentication mechanisms by providing a uniform, generic API for
security services. It is a set of functions that include both an API and a
methodology for approaching authentication, aiming to insulate application
protocols from the specifics of security protocols as much as possible.</p>
<p>The <em>Microsoft Windows Kerberos</em> implementation does not include GSSAPI support
but instead includes a <em>Microsoft-specific API</em>, the <em>Security Support
Provider Interface (SSPI)</em>. In Windows, an SSPI client can communicate with
a <em>GSSAPI server</em>.</p>
<p><em>Most applications that support GSSAPI also support Kerberos v5.</em></p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<dl>
<dt>Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)</dt><dd><p>As we can see, GSSAPI solves the problem of providing a single API to
different authentication mechanisms. However, it does not solve the problem
of negotiating which mechanism to use. In fact, for GSSAPI to work, the two
applications communicating with each other must know in advance what
authentication mechanism they plan to use, which usually is not a problem
if only one mechanism is supported (meaning Kerberos v5).</p>
<p>However, if there are multiple mechanisms to choose from, a method is
needed to securely negotiate an authentication mechanism that is mutually
supported by both client and server, which is where
<em>SPNEGO (RFC 2478, 4178)</em> makes a difference.</p>
<p><em>SPNEGO</em> provides a framework for two parties that are engaged in
authentication to select from a set of possible authentication mechanisms,
in a manner that preserves the opaque nature of the security protocols to
the application protocol that uses it.</p>
<p>It is a security protocol that uses a <em>GSSAPI authentication mechanism</em> and
negotiates among several available authentication mechanisms in an
implementation, selecting one for use to satisfy the authentication needs
of the application protocol.</p>
<p>It is a <em>meta protocol</em> that travels entirely in other application
protocols; it is never used directly without an application protocol.</p>
</dd>
</dl>
<div class="line-block">
<div class="line"><br /></div>
</div>
<p><em>Why is this important and why do we care? Like, at all?</em></p>
<blockquote>
<div><p>Having this background information in mind, we can easily describe things
like:</p>
<blockquote>
<div><p>1. <em>Ceph Kerberos authentication</em> is based entirely on the MIT <em>Kerberos</em>
implementation using <em>GSSAPI</em>.</p>
<p>2. At the moment we are still using the <em>Kerberos default backend
database</em>; however, we plan on adding LDAP as a backend, which would
provide us with <em>authentication with GSSAPI (KRB5)</em> and <em>authorization
with LDAP (LDAPv3)</em>, via a <em>SASL mechanism</em>.</p>
</div></blockquote>
</div></blockquote>
<div class="line-block">
<div class="line"><br /></div>
</div>
</div>
<div class="section" id="id2">
<h2>Before We Start<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h2>
<p>We assume the environment already has some external services up and running
properly:</p>
<blockquote>
<div><ul>
<li><p>Kerberos needs to be properly configured, which also means (for
every server and the KDC):</p>
<blockquote>
<div><ul>
<li><p>Time Synchronization (either using <a class="reference external" href="http://www.ntp.org/">NTP</a>  or <a class="reference external" href="https://chrony.tuxfamily.org/">chrony</a>).</p>
<blockquote>
<div><ul class="simple">
<li><p>Not only Kerberos, but also Ceph depends and relies on time
synchronization.</p></li>
</ul>
</div></blockquote>
</li>
<li><p>DNS resolution</p>
<blockquote>
<div><ul class="simple">
<li><p>Both <em>(forward and reverse)</em> zones, with <em>fully qualified domain
name (fqdn)</em> <code class="docutils literal notranslate"><span class="pre">(hostname</span> <span class="pre">+</span> <span class="pre">domain.name)</span></code></p></li>
<li><p>KDC discovery can be set up to use DNS <code class="docutils literal notranslate"><span class="pre">(srv</span> <span class="pre">resources)</span></code> as the
service location protocol <em>(RFCs 2052, 2782)</em>, and to map a <em>host
or domain</em> to the <em>appropriate realm</em> <code class="docutils literal notranslate"><span class="pre">(txt</span> <span class="pre">record)</span></code>.</p></li>
<li><p>Even though these DNS entries/settings are not required to run a
<code class="docutils literal notranslate"><span class="pre">Kerberos</span> <span class="pre">realm</span></code>, they certainly help to eliminate the need for
manual configuration on all clients.</p></li>
<li><p>This is extremely important, since most Kerberos issues are
related to name resolution. Kerberos is very picky when
checking system names and host lookups.</p></li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
</li>
<li><p>Whenever possible, in order to avoid a <em>single point of failure</em>, set up
a <em>backup, secondary, or slave</em> for every piece/part of the
infrastructure <code class="docutils literal notranslate"><span class="pre">(ntp,</span> <span class="pre">dns,</span> <span class="pre">and</span> <span class="pre">kdc</span> <span class="pre">servers)</span></code>.</p></li>
</ul>
</div></blockquote>
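<p>A pre-flight check for the name-resolution and KDC-discovery prerequisites listed above, added here as an example (it is not part of the Ceph project's code): it verifies that forward and reverse DNS round-trip to the same fully qualified name, and that the realm publishes the SRV record clients use to locate the KDC and a TXT record that maps the domain to the right realm. The sample zone, the <code>192.0.2.x</code> addresses and the <code>mydomain.com</code> names are constructed; the <code>zone_resolver</code> and <code>socket_resolver</code> helpers and their signatures are assumptions.</p>

```python
"""Pre-flight check for the Kerberos DNS prerequisites (added example)."""
import socket
from typing import Callable, Dict, List

# A resolver maps (name, record type) -> list of record data strings.
# Assumption: a real DNS library (e.g. dnspython) is plugged in for
# SRV/TXT lookups; the stdlib-only resolver below handles A and PTR.
Resolver = Callable[[str, str], List[str]]


def kdc_discovery_names(realm: str) -> Dict[str, str]:
    """DNS names a Kerberos client queries when DNS-based discovery is on.

    SRV records locate the KDC and admin server (_service._proto.realm,
    RFC 2782 style); the TXT record maps a DNS domain to its realm.
    """
    domain = realm.lower()
    return {
        "kdc_srv": f"_kerberos._udp.{domain}",
        "kdc_tcp_srv": f"_kerberos._tcp.{domain}",
        "admin_srv": f"_kerberos-adm._tcp.{domain}",
        "realm_txt": f"_kerberos.{domain}",
    }


def _canon(name: str) -> str:
    """Lower-case and strip the trailing dot so DNS forms compare equal."""
    return name.lower().rstrip(".")


def check_host_resolution(fqdn: str, resolve: Resolver) -> List[str]:
    """Return the problems found for one host; an empty list means OK.

    Host principals are built from the FQDN, so every address the name
    resolves to must reverse-resolve back to that same FQDN.
    """
    problems: List[str] = []
    if "." not in fqdn:
        problems.append(f"{fqdn!r} is not fully qualified (hostname + domain.name)")
    addrs = resolve(fqdn, "A")
    if not addrs:
        problems.append(f"no A record for {fqdn}")
    for addr in addrs:
        names = [_canon(n) for n in resolve(addr, "PTR")]
        if not names:
            problems.append(f"no PTR record for {addr} ({fqdn})")
        elif _canon(fqdn) not in names:
            problems.append(f"reverse lookup of {addr} gives {names}, not {fqdn}")
    return problems


def check_kdc_discovery(realm: str, resolve: Resolver) -> List[str]:
    """Check the records that let clients find the KDC without a
    hand-written [realms] section in krb5.conf."""
    names = kdc_discovery_names(realm)
    problems: List[str] = []
    if not resolve(names["kdc_srv"], "SRV"):
        problems.append(f"no SRV record at {names['kdc_srv']}; clients must "
                        "configure the KDC address manually")
    txt = resolve(names["realm_txt"], "TXT")
    # The TXT record is optional, but if present it must name this realm.
    if txt and txt[0].strip('"') != realm:
        problems.append(f"{names['realm_txt']} TXT maps to {txt[0]!r}, expected {realm!r}")
    return problems


def socket_resolver(name: str, rtype: str) -> List[str]:
    """System resolver for A/PTR lookups; SRV/TXT need a DNS library."""
    try:
        if rtype == "A":
            return socket.gethostbyname_ex(name)[2]
        if rtype == "PTR":
            host, aliases, _ = socket.gethostbyaddr(name)
            return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []
    raise NotImplementedError(f"{rtype} lookups need a DNS library such as dnspython")


# Constructed sample zone (not real infrastructure). osd1 round-trips
# correctly, osd2's PTR points at a short name, and the realm publishes
# a KDC SRV record plus a realm-mapping TXT record.
SAMPLE_ZONE: Dict[tuple, List[str]] = {
    ("osd1.mydomain.com", "A"): ["192.0.2.11"],
    ("192.0.2.11", "PTR"): ["osd1.mydomain.com."],
    ("osd2.mydomain.com", "A"): ["192.0.2.12"],
    ("192.0.2.12", "PTR"): ["osd2"],
    ("_kerberos._udp.mydomain.com", "SRV"): ["0 0 88 kdc1.mydomain.com."],
    ("_kerberos.mydomain.com", "TXT"): ['"MYDOMAIN.COM"'],
}


def zone_resolver(name: str, rtype: str) -> List[str]:
    """Offline resolver over SAMPLE_ZONE."""
    return SAMPLE_ZONE.get((_canon(name), rtype), [])


if __name__ == "__main__":
    for host in ("osd1.mydomain.com", "osd2.mydomain.com"):
        print(host, check_host_resolution(host, zone_resolver) or "OK")
    print("MYDOMAIN.COM", check_kdc_discovery("MYDOMAIN.COM", zone_resolver) or "OK")
```

On a real host, pass <code>socket_resolver</code> to <code>check_host_resolution</code>; the KDC discovery check needs a resolver that can answer SRV and TXT queries.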
<p>Also, the following <em>Kerberos terminology</em> is important:</p>
<blockquote>
<div><ul>
<li><p>Ticket</p>
<blockquote>
<div><ul>
<li><p>Tickets, or credentials, are a set of information that can be used to
verify the client’s identity. Kerberos tickets may be stored in a
file, or they may exist only in memory.</p></li>
<li><p>The first ticket obtained is a ticket-granting ticket (TGT), which
allows the clients to obtain additional tickets. These additional
tickets give the client permission for specific services. The
requesting and granting of these additional tickets happens
transparently.</p>
<blockquote>
<div><ul class="simple">
<li><p>The TGT, which expires at a specified time, permits the client to
obtain additional tickets, which give permission for specific
services. The requesting and granting of these additional tickets
is user-transparent.</p></li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
</li>
<li><p>Key Distribution Center (KDC).</p>
<blockquote>
<div><ul>
<li><p>The KDC creates a ticket-granting ticket (TGT) for the client,
encrypts it using the client’s password as the key, and sends the
encrypted TGT back to the client. The client then attempts to decrypt
the TGT, using its password. If the client successfully decrypts the
TGT (i.e., if the client gave the correct password), it keeps the
decrypted TGT, which indicates proof of the client’s identity.</p></li>
<li><p>The KDC consists of three components:</p>
<blockquote>
<div><ul class="simple">
<li><p>Kerberos database, which stores all the information about the
principals and the realm they belong to, among other things.</p></li>
<li><p>Authentication service (AS)</p></li>
<li><p>Ticket-granting service (TGS)</p></li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
</li>
<li><p>Client</p>
<blockquote>
<div><ul class="simple">
<li><p>Either a <em>user, host or a service</em> who sends a request for a ticket.</p></li>
</ul>
</div></blockquote>
</li>
<li><p>Principal</p>
<blockquote>
<div><ul>
<li><p>It is a unique identity to which Kerberos can assign tickets.
Principals can have an arbitrary number of components. Each component
is separated by a component separator, generally <code class="docutils literal notranslate"><span class="pre">/</span></code>. The last
component is the <em>realm</em>, separated from the rest of the principal by
the realm separator, generally <code class="docutils literal notranslate"><span class="pre">&#64;</span></code>.</p></li>
<li><p>If there is no realm component in the principal, then it will be
assumed that the principal is in the default realm for the context in
which it is being used.</p></li>
<li><p>Usually, a principal is divided into three parts:</p>
<blockquote>
<div><ul>
<li><p>The <code class="docutils literal notranslate"><span class="pre">primary</span></code>, the <code class="docutils literal notranslate"><span class="pre">instance</span></code>, and the <code class="docutils literal notranslate"><span class="pre">realm</span></code></p></li>
<li><p>The format of a typical Kerberos V5 principal is
<code class="docutils literal notranslate"><span class="pre">primary/instance&#64;REALM</span></code>.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">primary</span></code> is the first part of the principal. In the case
of a user, it’s the same as the <code class="docutils literal notranslate"><span class="pre">username</span></code>. For a host, the
primary is the word <code class="docutils literal notranslate"><span class="pre">host</span></code>. For Ceph, we will use <code class="docutils literal notranslate"><span class="pre">ceph</span></code> as the
primary name, which makes it easier to organize and identify Ceph
related principals.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">instance</span></code> is an optional string that qualifies the
primary. The instance is separated from the primary by a slash
<code class="docutils literal notranslate"><span class="pre">/</span></code>. In the case of a user, the instance is usually <code class="docutils literal notranslate"><span class="pre">null</span></code>,
but a user might also have an additional principal, with an
instance called <code class="docutils literal notranslate"><span class="pre">admin</span></code>, which one uses to administer the
database.</p>
<p>The principal <code class="docutils literal notranslate"><span class="pre">johndoe&#64;MYDOMAIN.COM</span></code> is completely separate
from the principal <code class="docutils literal notranslate"><span class="pre">johndoe/admin&#64;MYDOMAIN.COM</span></code>, with a
separate password and separate permissions. In the case of a
host, the instance is the fully qualified hostname,
e.g., <code class="docutils literal notranslate"><span class="pre">osd1.MYDOMAIN.COM</span></code>.</p>
</li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">realm</span></code> is the Kerberos realm. Usually, the Kerberos realm
is the domain name, in <em>upper-case letters</em>. For example, the
machine <code class="docutils literal notranslate"><span class="pre">osd1.MYDOMAIN.COM</span></code> would be in the realm
<code class="docutils literal notranslate"><span class="pre">MYDOMAIN.COM</span></code>.</p></li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
</li>
<li><p>Keytab</p>
<blockquote>
<div><ul>
<li><p>A keytab file stores the actual encryption key that can be used in
lieu of a password challenge for a given principal. Creating keytab
files is useful for noninteractive principals, such as <em>Service
Principal Names</em>, which are often associated with long-running
processes like Ceph daemons. A keytab file does not have to be a
“1:1 mapping” to a single principal: the keys of multiple different
principals can be stored in a single keytab file.</p>
<blockquote>
<div><ul class="simple">
<li><p>The keytab file allows a user/service to authenticate without
knowledge of the password. Due to this, <em>keytabs should be
protected</em> with appropriate controls to prevent unauthorized
users from authenticating with it.</p></li>
<li><p>The default client keytab file is <code class="docutils literal notranslate"><span class="pre">/etc/krb5.keytab</span></code></p></li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
<div class="line-block">
<div class="line"><br /></div>
</div>
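<p>The principal format described above (<code class="docutils literal notranslate"><span class="pre">primary/instance&#64;REALM</span></code>, with the default realm assumed when no <code class="docutils literal notranslate"><span class="pre">&#64;REALM</span></code> is given) and the <code class="docutils literal notranslate"><span class="pre">/etc/krb5.conf</span></code> settings used in the configuration steps that follow, as an added Python example that is not part of the Ceph documentation: the parser, the checks and the sample configuration text are constructed here, reusing the page's <code class="docutils literal notranslate"><span class="pre">MYDOMAIN.COM</span></code> values.</p>

```python
"""Added example (not Ceph code): parse primary/instance@REALM principals and
read a krb5.conf for the default realm plus a check of its hardening settings."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    components: tuple   # everything before the realm, split on the '/' separator
    realm: str

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        # A plain user has no instance; hosts and services carry one (hostname).
        return self.components[1] if len(self.components) > 1 else None

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Everything after the last '@' is the realm. Without one, the default
    realm of the context (here: krb5.conf default_realm) is assumed."""
    name, sep, realm = text.rpartition("@")
    if not sep:
        if default_realm is None:
            raise ValueError(f"{text!r} has no realm and no default realm is set")
        name, realm = text, default_realm
    if not name or not realm:
        raise ValueError(f"malformed principal {text!r}")
    components = tuple(name.split("/"))
    if "" in components:
        raise ValueError(f"empty component in principal {text!r}")
    return Principal(components, realm)


def parse_krb5_conf(text: str) -> dict:
    """Minimal reader for the krb5.conf profile format: [section] headers,
    key = value pairs and nested key = { ... } blocks (no include support)."""
    conf: dict = {}
    stack: list = []        # dicts currently open, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError(f"setting outside any section: {line!r}")
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def check_krb5_conf(conf: dict) -> list:
    """Report settings that differ from this page's /etc/krb5.conf example."""
    findings = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
    elif realm not in conf.get("realms", {}):
        findings.append(f"realms: no entry for default_realm {realm}")
    elif "kdc" not in conf["realms"][realm]:
        findings.append(f"realms: {realm} has no kdc configured")
    # 'true' lets the library negotiate weak encryption types such as DES.
    if lib.get("allow_weak_crypto", "false").lower() != "false":
        findings.append("libdefaults: allow_weak_crypto should be false")
    # The page example disables both, so service names are not derived from DNS.
    for key in ("dns_canonicalize_hostname", "rdns"):
        if lib.get(key, "true").lower() != "false":
            findings.append(f"libdefaults: {key} should be false")
    return findings


# Constructed sample: the page's /etc/krb5.conf example without the "..." lines.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_canonicalize_hostname = false
    rdns = false
    forwardable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
    allow_weak_crypto = false
    default_realm = MYDOMAIN.COM
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
    MYDOMAIN.COM = {
        kdc = kerberos.mydomain.com
        admin_server = kerberos.mydomain.com
    }
"""
```

The names printed by <code class="docutils literal notranslate"><span class="pre">kadmin.local: listprincs</span></code> later on this page can be fed to <code class="docutils literal notranslate"><span class="pre">parse_principal</span></code> one per line; the Ceph daemon principals all come back with primary <code class="docutils literal notranslate"><span class="pre">ceph</span></code> and the node name as instance.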
</div>
<div class="section" id="ceph">
<h2>Configuration on the Ceph side<a class="headerlink" href="#ceph" title="Permalink to this headline">¶</a></h2>
<p>In order to configure connections (from Ceph nodes) to the KDC:</p>
<ol class="arabic">
<li><p>Log in to the Kerberos client (the Ceph server nodes) and confirm it is properly
configured by checking, and where necessary editing, the <code class="docutils literal notranslate"><span class="pre">/etc/krb5.conf</span></code> file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">conf</span>
<span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
    <span class="n">dns_canonicalize_hostname</span> <span class="o">=</span> <span class="n">false</span>
    <span class="n">rdns</span> <span class="o">=</span> <span class="n">false</span>
    <span class="n">forwardable</span> <span class="o">=</span> <span class="n">true</span>
    <span class="n">dns_lookup_realm</span> <span class="o">=</span> <span class="n">true</span>
    <span class="n">dns_lookup_kdc</span> <span class="o">=</span> <span class="n">true</span>
    <span class="n">allow_weak_crypto</span> <span class="o">=</span> <span class="n">false</span>
    <span class="n">default_realm</span> <span class="o">=</span> <span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
    <span class="n">default_ccache_name</span> <span class="o">=</span> <span class="n">KEYRING</span><span class="p">:</span><span class="n">persistent</span><span class="p">:</span><span class="o">%</span><span class="p">{</span><span class="n">uid</span><span class="p">}</span>
<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
    <span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span>
        <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span>
        <span class="o">...</span>
    <span class="p">}</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
<li><p>Log in to the <em>KDC Server</em> and confirm it is properly configured to
authenticate principals of the Kerberos realm in question:</p>
<blockquote>
<div><ol class="loweralpha">
<li><p>Kerberos related DNS RRs:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">named</span><span class="o">/</span><span class="n">master</span><span class="o">/</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span>
<span class="n">kerberos</span>                <span class="n">IN</span> <span class="n">A</span>        <span class="mf">192.168.10.21</span>
<span class="n">kerberos</span><span class="o">-</span><span class="n">slave</span>          <span class="n">IN</span> <span class="n">A</span>        <span class="mf">192.168.10.22</span>
<span class="n">_kerberos</span>               <span class="n">IN</span> <span class="n">TXT</span>      <span class="s2">&quot;MYDOMAIN.COM&quot;</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">_udp</span>          <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">1</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">_tcp</span>          <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">1</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">_udp</span>          <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">20</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span><span class="o">-</span><span class="n">slave</span>
<span class="n">_kerberos</span><span class="o">-</span><span class="n">master</span><span class="o">.</span><span class="n">_udp</span>   <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">0</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span>
<span class="n">_kerberos</span><span class="o">-</span><span class="n">adm</span><span class="o">.</span><span class="n">_tcp</span>      <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">0</span> <span class="mi">0</span> <span class="mi">749</span> <span class="n">kerberos</span>
<span class="n">_kpasswd</span><span class="o">.</span><span class="n">_udp</span>           <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">0</span> <span class="mi">0</span> <span class="mi">464</span> <span class="n">kerberos</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
<li><p>KDC configuration file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">conf</span>
<span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
        <span class="n">kdc_ports</span> <span class="o">=</span> <span class="mi">750</span><span class="p">,</span><span class="mi">88</span>
<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
        <span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
            <span class="n">acl_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">acl</span>
            <span class="n">admin_keytab</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">keytab</span>
            <span class="n">default_principal_flags</span> <span class="o">=</span> <span class="o">+</span><span class="n">postdateable</span> <span class="o">+</span><span class="n">forwardable</span> <span class="o">+</span><span class="n">renewable</span> <span class="o">+</span><span class="n">proxiable</span>
                                                    <span class="o">+</span><span class="n">dup</span><span class="o">-</span><span class="n">skey</span> <span class="o">-</span><span class="n">preauth</span> <span class="o">-</span><span class="n">hwauth</span> <span class="o">+</span><span class="n">service</span>
                                                    <span class="o">+</span><span class="n">tgt</span><span class="o">-</span><span class="n">based</span> <span class="o">+</span><span class="n">allow</span><span class="o">-</span><span class="n">tickets</span> <span class="o">-</span><span class="n">pwchange</span>
                                                    <span class="o">-</span><span class="n">pwservice</span>
            <span class="n">dict_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">dict</span>
            <span class="n">key_stash_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/.</span><span class="n">k5</span><span class="o">.</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
            <span class="n">kdc_ports</span> <span class="o">=</span> <span class="mi">750</span><span class="p">,</span><span class="mi">88</span>
            <span class="n">max_life</span> <span class="o">=</span> <span class="mi">0</span><span class="n">d</span> <span class="mi">10</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
            <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
        <span class="p">}</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
</ol>
</div></blockquote>
</li>
<li><p>Still on the KDC Server, run the Kerberos administration utility,
<code class="docutils literal notranslate"><span class="pre">kadmin.local</span></code>, to list all the principals already created:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">listprincs</span>
<span class="n">K</span><span class="o">/</span><span class="n">M</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">krbtgt</span><span class="o">/</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">changepw</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">history</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
<li><p>Add a <em>principal for each Ceph cluster node</em> we want to be authenticated by
Kerberos:</p>
<blockquote>
<div><ol class="loweralpha">
<li><p>Adding principals:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span>
<span class="n">Principal</span> <span class="s2">&quot;ceph/ceph-mon1@MYDOMAIN.COM&quot;</span> <span class="n">created</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd1</span>
<span class="n">Principal</span> <span class="s2">&quot;ceph/ceph-osd1@MYDOMAIN.COM&quot;</span> <span class="n">created</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd2</span>
<span class="n">Principal</span> <span class="s2">&quot;ceph/ceph-osd2@MYDOMAIN.COM&quot;</span> <span class="n">created</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd3</span>
<span class="n">Principal</span> <span class="s2">&quot;ceph/ceph-osd3@MYDOMAIN.COM&quot;</span> <span class="n">created</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">addprinc</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd4</span>
<span class="n">Principal</span> <span class="s2">&quot;ceph/ceph-osd4@MYDOMAIN.COM&quot;</span> <span class="n">created</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">listprincs</span>
<span class="n">K</span><span class="o">/</span><span class="n">M</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">krbtgt</span><span class="o">/</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">changepw</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">history</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd1</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd2</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd3</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd4</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
<li><p>The same approach applies when creating a <em>user principal</em>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">addprinc</span> <span class="n">johndoe</span>
<span class="n">WARNING</span><span class="p">:</span> <span class="n">no</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="n">johndoe</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="p">;</span> <span class="n">defaulting</span> <span class="n">to</span> <span class="n">no</span> <span class="n">policy</span>
<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;johndoe@MYDOMAIN.COM&quot;</span><span class="p">:</span>
<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;johndoe@MYDOMAIN.COM&quot;</span><span class="p">:</span>
<span class="n">Principal</span> <span class="s2">&quot;johndoe@MYDOMAIN.COM&quot;</span> <span class="n">created</span><span class="o">.</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
</ol>
</div></blockquote>
</li>
<li><p>Create a <em>keytab file</em> for each Ceph cluster node:</p>
<blockquote>
<div><p>As the default client keytab file is <code class="docutils literal notranslate"><span class="pre">/etc/krb5.keytab</span></code>, we will want to
use a different file name, so we specify which <em>keytab file to create</em> and
which <em>principal to export keys</em> from:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_mon1</span><span class="o">.</span><span class="n">ktab</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_mon1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_mon1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_mon1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_mon1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd1</span><span class="o">.</span><span class="n">ktab</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd1</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd1</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd1</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd2</span><span class="o">.</span><span class="n">ktab</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd2</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd2</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd2</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd2</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd2</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd2</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd2</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd2</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">2</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd2</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd3</span><span class="o">.</span><span class="n">ktab</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd3</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd3</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd3</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd3</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd3</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd3</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd3</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd3</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">3</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd3</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd4</span><span class="o">.</span><span class="n">ktab</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd4</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd4</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd4</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd4</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd4</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd4</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd4</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>
<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">osd4</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">4</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd4</span><span class="o">.</span><span class="n">ktab</span><span class="o">.</span>

<span class="c1"># ls -1 /etc/gss_client_*</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_mon1</span><span class="o">.</span><span class="n">ktab</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd1</span><span class="o">.</span><span class="n">ktab</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd2</span><span class="o">.</span><span class="n">ktab</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd3</span><span class="o">.</span><span class="n">ktab</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_osd4</span><span class="o">.</span><span class="n">ktab</span>
</pre></div>
</div>
<p>We can also check the newly created keytab client files with <code class="docutils literal notranslate"><span class="pre">klist</span> <span class="pre">-kte</span></code>. Note that each <code class="docutils literal notranslate"><span class="pre">ktadd</span></code> run above also wrote <code class="docutils literal notranslate"><span class="pre">des3-cbc-sha1</span></code> and <code class="docutils literal notranslate"><span class="pre">arcfour-hmac</span></code> keys; both are legacy encryption types that MIT krb5 deprecates, so unless a legacy client needs them, limit the key list with <code class="docutils literal notranslate"><span class="pre">ktadd</span> <span class="pre">-e</span></code> (for example <code class="docutils literal notranslate"><span class="pre">-e</span> <span class="pre">aes256-cts:normal,aes128-cts:normal</span></code>) or restrict <code class="docutils literal notranslate"><span class="pre">supported_enctypes</span></code> in the KDC's <code class="docutils literal notranslate"><span class="pre">kdc.conf</span></code> before creating the principals:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># klist -kte /etc/gss_client_mon1.ktab</span>
<span class="n">Keytab</span> <span class="n">name</span><span class="p">:</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">gss_client_mon1</span><span class="o">.</span><span class="n">ktab</span>
<span class="n">KVNO</span> <span class="n">Timestamp</span>           <span class="n">Principal</span>
<span class="o">----</span> <span class="o">-------------------</span> <span class="o">------------------------------------------------------</span>
   <span class="mi">2</span> <span class="mi">10</span><span class="o">/</span><span class="mi">8</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">14</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">30</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="p">(</span><span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">)</span>
   <span class="mi">2</span> <span class="mi">10</span><span class="o">/</span><span class="mi">8</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">14</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">31</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="p">(</span><span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span><span class="p">)</span>
   <span class="mi">2</span> <span class="mi">10</span><span class="o">/</span><span class="mi">8</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">14</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">31</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="p">(</span><span class="n">des3</span><span class="o">-</span><span class="n">cbc</span><span class="o">-</span><span class="n">sha1</span><span class="p">)</span>
   <span class="mi">2</span> <span class="mi">10</span><span class="o">/</span><span class="mi">8</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">14</span><span class="p">:</span><span class="mi">35</span><span class="p">:</span><span class="mi">31</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="p">(</span><span class="n">arcfour</span><span class="o">-</span><span class="n">hmac</span><span class="p">)</span>
<span class="o">...</span>
</pre></div>
</div>
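<p>The check above relies on <code class="docutils literal notranslate"><span class="pre">klist</span></code>. As an added example (not part of the Ceph documentation or code base), the following Python reads a keytab in the MIT 0x0502 file format directly, lists its entries the way <code class="docutils literal notranslate"><span class="pre">klist</span> <span class="pre">-kte</span></code> does, and flags the legacy des3-cbc-sha1 and arcfour-hmac keys that the ktadd output above shows were written. The sample keytab is constructed inside the block with dummy key bytes; only the principal name <code class="docutils literal notranslate"><span class="pre">ceph/ceph-mon1@MYDOMAIN.COM</span></code> and the enctype list mirror the page.</p>

```python
import struct
from dataclasses import dataclass

# Encryption-type numbers (RFC 3961/3962/8009, MIT krb5 enctype table).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Single DES, triple DES and RC4 are deprecated in MIT krb5: report them.
WEAK_ENCTYPES = {1, 3, 16, 23}
KEYTAB_VERSION = b"\x05\x02"


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes
    timestamp: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"etype-{self.enctype}")


def _cos(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cos(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return bytes(buf[pos:pos + n]), pos + n


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a 0x0502 keytab."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cos(key)   # keyblock: enctype + counted key bytes
        body += struct.pack(">I", kvno)                  # trailing 32-bit vno (kvno may exceed 255)
        out += struct.pack(">i", len(body)) + body       # size excludes the size field itself
    return bytes(out)


def parse_keytab(data: bytes):
    """Parse a keytab (inverse of build_keytab); deleted slots have a negative size and are skipped."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {data[:2].hex()}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a deleted entry leaves a hole of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cos(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cos(data, pos)
            comps.append(comp)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cos(data, pos)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit vno; a non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key, ts))
    return entries


def weak_entries(entries):
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


def format_klist(entries) -> str:
    """Roughly what `klist -kte` prints (timestamp kept as epoch seconds)."""
    rows = ["KVNO Timestamp  Principal"]
    rows += [f"{e.kvno:4d} {e.timestamp:10d} {e.principal} ({e.enctype_name})" for e in entries]
    return "\n".join(rows)


# Constructed sample matching the ktadd output for ceph/ceph-mon1: dummy key bytes, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("ceph/ceph-mon1@MYDOMAIN.COM", 2, 18, b"\x11" * 32, 1539009330),
    ("ceph/ceph-mon1@MYDOMAIN.COM", 2, 17, b"\x22" * 16, 1539009331),
    ("ceph/ceph-mon1@MYDOMAIN.COM", 2, 16, b"\x33" * 24, 1539009331),
    ("ceph/ceph-mon1@MYDOMAIN.COM", 2, 23, b"\x44" * 16, 1539009331),
])
```

<p>Against a real file, <code class="docutils literal notranslate"><span class="pre">parse_keytab(open('/etc/gss_client_mon1.ktab',</span> <span class="pre">'rb').read())</span></code> gives the same entries <code class="docutils literal notranslate"><span class="pre">klist</span> <span class="pre">-kte</span></code> shows; an empty <code class="docutils literal notranslate"><span class="pre">weak_entries()</span></code> result is what you want before the keytab leaves the KDC.</p>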
</div></blockquote>
</li>
<li><p>A new configuration option was added to Ceph, <code class="docutils literal notranslate"><span class="pre">gss</span> <span class="pre">ktab</span> <span class="pre">client</span> <span class="pre">file</span></code>, which
points to the keytab file for the Ceph node <em>(or principal)</em> in
question.</p>
<blockquote>
<div><p>By default it points to <code class="docutils literal notranslate"><span class="pre">/var/lib/ceph/$name/gss_client_$name.ktab</span></code>. So,
in the case of a Ceph server <code class="docutils literal notranslate"><span class="pre">osd1.mydomain.com</span></code>, the location and name
of the keytab file should be: <code class="docutils literal notranslate"><span class="pre">/var/lib/ceph/osd1/gss_client_osd1.ktab</span></code></p>
<p>Therefore, we need to copy each of these newly created keytab files from
the KDC to its Ceph cluster node, for example with <code class="docutils literal notranslate"><span class="pre">scp</span></code>:
<code class="docutils literal notranslate"><span class="pre">#</span> <span class="pre">for</span> <span class="pre">node</span> <span class="pre">in</span> <span class="pre">mon1</span> <span class="pre">osd1</span> <span class="pre">osd2</span> <span class="pre">osd3</span> <span class="pre">osd4;</span> <span class="pre">do</span> <span class="pre">scp</span> <span class="pre">/etc/gss_client_$node*.ktab</span> <span class="pre">root&#64;ceph-$node:/var/lib/ceph/$node/;</span> <span class="pre">done</span></code></p>
<p>Any other transfer method is fine, as long as each keytab client file ends up
at the proper location. A keytab holds the principal's long-term keys, so on the
destination node make sure it is owned by the user the Ceph daemon runs as
(normally <code class="docutils literal notranslate"><span class="pre">ceph</span></code>) and readable by nobody else (mode <code class="docutils literal notranslate"><span class="pre">0600</span></code>).</p>
<p>At this point, even <em>without any keytab client file</em>, we should already
be able to authenticate a <em>user principal</em> with its password:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># kdestroy -A &amp;&amp; kinit -f johndoe &amp;&amp; klist -f</span>
<span class="n">Password</span> <span class="k">for</span> <span class="n">johndoe</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="n">KEYRING</span><span class="p">:</span><span class="n">persistent</span><span class="p">:</span><span class="mi">0</span><span class="p">:</span><span class="mi">0</span>
<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">johndoe</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>

<span class="n">Valid</span> <span class="n">starting</span>       <span class="n">Expires</span>              <span class="n">Service</span> <span class="n">principal</span>
<span class="mi">10</span><span class="o">/</span><span class="mi">10</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">15</span><span class="p">:</span><span class="mi">32</span><span class="p">:</span><span class="mi">01</span>  <span class="mi">10</span><span class="o">/</span><span class="mi">11</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">07</span><span class="p">:</span><span class="mi">32</span><span class="p">:</span><span class="mi">01</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
    <span class="n">renew</span> <span class="n">until</span> <span class="mi">10</span><span class="o">/</span><span class="mi">11</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">15</span><span class="p">:</span><span class="mi">32</span><span class="p">:</span><span class="mi">01</span><span class="p">,</span> <span class="n">Flags</span><span class="p">:</span> <span class="n">FRI</span>
<span class="o">...</span>
</pre></div>
</div>
<p>Given that the <em>keytab client file</em> has already been copied to the
Kerberos client (the Ceph cluster node), we should also be able to authenticate
with it before going forward:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># kdestroy -A &amp;&amp; kinit -k -t /etc/gss_client_mon1.ktab -f &#39;ceph/ceph-mon1@MYDOMAIN.COM&#39; &amp;&amp; klist -f</span>
<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="n">KEYRING</span><span class="p">:</span><span class="n">persistent</span><span class="p">:</span><span class="mi">0</span><span class="p">:</span><span class="mi">0</span>
<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">ceph</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="n">mon1</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>

<span class="n">Valid</span> <span class="n">starting</span>       <span class="n">Expires</span>              <span class="n">Service</span> <span class="n">principal</span>
<span class="mi">10</span><span class="o">/</span><span class="mi">10</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">15</span><span class="p">:</span><span class="mi">54</span><span class="p">:</span><span class="mi">25</span>  <span class="mi">10</span><span class="o">/</span><span class="mi">11</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">07</span><span class="p">:</span><span class="mi">54</span><span class="p">:</span><span class="mi">25</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
    <span class="n">renew</span> <span class="n">until</span> <span class="mi">10</span><span class="o">/</span><span class="mi">11</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">15</span><span class="p">:</span><span class="mi">54</span><span class="p">:</span><span class="mi">25</span><span class="p">,</span> <span class="n">Flags</span><span class="p">:</span> <span class="n">FRI</span>
<span class="o">...</span>
</pre></div>
</div>
</div></blockquote>
</li>
<li><p>The default client keytab, if it is present and readable, is used to
obtain initial credentials automatically for GSSAPI client applications; the
principal name of the first entry in that keytab is the one used by default.
Which file is the default client keytab is decided by the first of the
following that is set:</p>
<blockquote>
<div><ol class="loweralpha simple">
<li><p>The <code class="docutils literal notranslate"><span class="pre">KRB5_CLIENT_KTNAME</span></code> environment variable.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">default_client_keytab_name</span></code> profile variable in <code class="docutils literal notranslate"><span class="pre">[libdefaults]</span></code> of <code class="docutils literal notranslate"><span class="pre">krb5.conf</span></code>.</p></li>
<li><p>The hardcoded default, <code class="docutils literal notranslate"><span class="pre">DEFCKTNAME</span></code> (a build-time constant of the Kerberos library).</p></li>
</ol>
<p>Ceph therefore sets the environment variable
<code class="docutils literal notranslate"><span class="pre">KRB5_CLIENT_KTNAME</span></code> internally to the value of <code class="docutils literal notranslate"><span class="pre">gss_ktab_client_file</span></code>
(for example <code class="docutils literal notranslate"><span class="pre">/var/lib/ceph/osd1/gss_client_osd1.ktab</span></code>), so the GSSAPI library
finds the daemon's keytab without any Kerberos-side configuration. What remains is to
enable the new authentication method in the <code class="docutils literal notranslate"><span class="pre">ceph.conf</span></code> file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>/etc/ceph/ceph.conf
[global]
    ...
    auth cluster required = gss
    auth service required = gss
    auth client required = gss
    gss ktab client file = /{$my_new_location}/{$my_new_ktab_client_file.keytab}
    ...
</pre></div>
</div>
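<p>A preflight check for the configuration above, added here as an example and not part of Ceph: it parses a <code class="docutils literal notranslate"><span class="pre">ceph.conf</span></code> fragment, works out the effective keytab path (substituting <code class="docutils literal notranslate"><span class="pre">$name</span></code> the way the page's <code class="docutils literal notranslate"><span class="pre">osd1</span></code> example does; real daemon names of the form <code class="docutils literal notranslate"><span class="pre">type.id</span></code> are not modeled, which is an assumption), confirms the three <code class="docutils literal notranslate"><span class="pre">auth</span> <span class="pre">...</span> <span class="pre">required</span></code> settings are <code class="docutils literal notranslate"><span class="pre">gss</span></code>, and verifies that the keytab exists, carries the 0x0502 keytab magic and is not group- or world-readable. The config texts and keytab files it runs on are constructed in <code class="docutils literal notranslate"><span class="pre">demo()</span></code>.</p>

```python
import os
import stat
import tempfile

# Documented default for `gss ktab client file`; Ceph substitutes $name with the daemon name.
# This example follows the page's simplified naming ("osd1"); real daemon names such as osd.0
# would expand differently, which is an assumption not modeled here.
DEFAULT_GSS_KTAB = "/var/lib/ceph/$name/gss_client_$name.ktab"
AUTH_KEYS = ("auth cluster required", "auth service required", "auth client required")
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format 0x0502


def _norm(key: str) -> str:
    """Ceph treats spaces and underscores in option names as equivalent."""
    return " ".join(key.strip().lower().replace("_", " ").split())


def parse_ceph_conf(text: str) -> dict:
    """Minimal INI-style parser for ceph.conf: [sections], key = value, # comments."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
            continue
        if cur is None or "=" not in line:
            raise ValueError(f"cannot parse ceph.conf line: {raw!r}")
        key, value = line.split("=", 1)
        sections[cur][_norm(key)] = value.strip()
    return sections


def effective_keytab_path(conf: dict, name: str) -> str:
    raw = conf.get("global", {}).get("gss ktab client file", DEFAULT_GSS_KTAB)
    return raw.replace("$name", name)


def check_auth_settings(conf: dict) -> list:
    g = conf.get("global", {})
    return [f"{k} = {g.get(k) or '<unset>'} (expected gss)"
            for k in AUTH_KEYS if g.get(k, "").lower() != "gss"]


def check_keytab_file(path: str) -> list:
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: keytab missing"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:      # long-term keys: nobody but the daemon user should read them
        problems.append(f"{path}: mode {oct(mode)} exposes the keytab to group/other")
    with open(path, "rb") as f:
        magic = f.read(2)
    if magic != KEYTAB_MAGIC:
        problems.append(f"{path}: not a keytab file (magic {magic.hex()})")
    return problems


def preflight(conf_text: str, name: str) -> dict:
    conf = parse_ceph_conf(conf_text)
    path = effective_keytab_path(conf, name)
    return {"keytab": path, "problems": check_auth_settings(conf) + check_keytab_file(path)}


def demo() -> dict:
    """Run preflight on constructed configs and keytabs in a temp dir; returns the results."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "gss_client_mon1.ktab")
        loose = os.path.join(d, "gss_client_osd1.ktab")
        for path, mode in ((good, 0o600), (loose, 0o644)):
            with open(path, "wb") as f:
                f.write(KEYTAB_MAGIC)      # a header-only keytab is enough for this check
            os.chmod(path, mode)
        missing = os.path.join(d, "gss_client_osd2.ktab")
        base = "[global]\n    auth service required = gss\n    auth client required = gss\n"
        ok_conf = base + f"    auth cluster required = gss\n    gss ktab client file = {good}\n"
        bad_conf = base + f"    auth_cluster_required = cephx  # left at the default\n    gss_ktab_client_file = {loose}\n"
        missing_conf = base + f"    auth cluster required = gss\n    gss ktab client file = {missing}\n"
        return {"ok": preflight(ok_conf, "mon1"),
                "bad": preflight(bad_conf, "osd1"),
                "missing": preflight(missing_conf, "osd2")}
```

<p>Run <code class="docutils literal notranslate"><span class="pre">preflight(open('/etc/ceph/ceph.conf').read(),</span> <span class="pre">'osd1')</span></code> on each node before restarting daemons; a mixed cluster where one of the three <code class="docutils literal notranslate"><span class="pre">auth</span></code> settings is still <code class="docutils literal notranslate"><span class="pre">cephx</span></code>, or a keytab copied with <code class="docutils literal notranslate"><span class="pre">scp</span></code> as root and left at 0644, is exactly what this catches.</p>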
</div></blockquote>
</li>
<li><p>With that in place, the GSSAPI library can read the keytab file and, using
name and service resolution <em>(provided by the DNS)</em> to locate the KDC,
request a <em>TGT</em> as follows:</p>
<blockquote>
<div><ol class="loweralpha simple">
<li><p>The client sends its principal name to the KDC in a TGT request (AS-REQ);
a KDC configured for pre-authentication additionally requires the client to
prove possession of its key in this request.</p></li>
<li><p>The KDC looks the principal up in its internal database.</p></li>
<li><p>The KDC issues a TGT, encrypted under the KDC's own <code class="docutils literal notranslate"><span class="pre">krbtgt</span></code> key,
together with a fresh session key; a copy of the session key (and the ticket
lifetime) is encrypted under the client principal's key.</p></li>
<li><p>The client decrypts that part with its key (derived from the password,
or read from the keytab) and stores the TGT and session key in the
credentials cache; the TGT itself stays opaque to the client.</p></li>
<li><p>From then on, Kerberos/GSSAPI-aware applications (and/or services) use the
TGT from the credentials cache, not the keytab, to obtain service tickets.</p></li>
</ol>
</div></blockquote>
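<p>The five steps above as a runnable model, added here as an example (it is neither Ceph nor MIT krb5 code): a toy KDC and client perform the AS exchange with JSON messages and a stand-in authenticated-encryption routine instead of the real Kerberos wire format and enctypes. It makes the point of steps c and d concrete: the TGT is sealed under a <code class="docutils literal notranslate"><span class="pre">krbtgt</span></code> key the client never holds, the client can decrypt only the session-key part, and the credentials cache stores both. The realm, the user principal and its password are constructed; pre-authentication and the later TGS exchange are not modeled, and the 16-hour default lifetime simply matches the <code class="docutils literal notranslate"><span class="pre">klist</span></code> output shown earlier.</p>

```python
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, salt: str) -> bytes:
    """Password -> long-term key. Kerberos AES enctypes use PBKDF2 over password and salt
    (realm + principal name, RFC 3962); hash and iteration count here are simplifications."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream XOR + HMAC-SHA256 tag). It stands in
    for a Kerberos enctype in this model and is not an RFC 3961 profile."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key for this encrypted part")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Minimal AS-exchange server holding the principal database and the krbtgt key."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.db = dict(principals)
        self.tgs_name = f"krbtgt/{realm}"
        self.db[self.tgs_name] = os.urandom(32)       # never leaves the KDC

    def as_exchange(self, cname: str, lifetime: int = 16 * 3600) -> dict:
        if cname not in self.db:                      # step b: database lookup
            raise KeyError(f"client principal {cname}@{self.realm} not in KDC database")
        session_key = os.urandom(32).hex()
        endtime = int(time.time()) + lifetime
        # step c: the TGT is sealed under the krbtgt key, the session key under the client's key
        ticket = seal(self.db[self.tgs_name],
                      {"cname": cname, "session_key": session_key, "endtime": endtime})
        enc_part = seal(self.db[cname],
                        {"sname": self.tgs_name, "session_key": session_key, "endtime": endtime})
        return {"cname": cname, "ticket": ticket.hex(), "enc_part": enc_part.hex()}


def kinit(kdc: KDC, cname: str, client_key: bytes) -> dict:
    """Client side: request a TGT (step a) and fill a credentials cache (step d).
    client_key comes from the password (kinit johndoe) or from a keytab (kinit -k -t ...)."""
    rep = kdc.as_exchange(cname)
    part = unseal(client_key, bytes.fromhex(rep["enc_part"]))   # fails with the wrong key
    return {"default_principal": f"{cname}@{kdc.realm}",
            "tickets": [{"sname": f"{part['sname']}@{kdc.realm}", "ticket": rep["ticket"],
                         "session_key": part["session_key"], "endtime": part["endtime"]}]}


def client_can_read_ticket(ccache: dict, client_key: bytes) -> bool:
    """The TGT is opaque to its holder: only the KDC's krbtgt key opens it."""
    try:
        unseal(client_key, bytes.fromhex(ccache["tickets"][0]["ticket"]))
        return True
    except ValueError:
        return False


# Constructed realm: a user principal with a password-derived key, and a service principal
# whose random key would normally live in /etc/gss_client_mon1.ktab.
REALM = "MYDOMAIN.COM"
JOHNDOE_KEY = string_to_key("correct horse battery", REALM + "johndoe")
MON1_KEY = os.urandom(32)
KDC_INSTANCE = KDC(REALM, {"johndoe": JOHNDOE_KEY, "ceph/ceph-mon1": MON1_KEY})
```

<p>Two things the model makes visible that the command output cannot: a wrong password (or stale keytab) fails at the client, when <code class="docutils literal notranslate"><span class="pre">unseal</span></code> rejects the encrypted part, not at the KDC; and whatever sits in the credentials cache is useless for forging tickets, since the client cannot open or modify the TGT.</p>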
</li>
</ol>
<div class="line-block">
<div class="line"><br /></div>
<div class="line"><br /></div>
</div>
<div class="section" id="id3">
<h3>** <em>For Ceph developers only</em> **<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h3>
<p>We certainly could have used the native <code class="docutils literal notranslate"><span class="pre">KRB5</span> <span class="pre">APIs</span></code> directly (instead of
the <code class="docutils literal notranslate"><span class="pre">GSSAPIs</span></code>), but we wanted a more portable option for network security,
which is the hallmark of the <code class="docutils literal notranslate"><span class="pre">GSS-API</span></code> <em>(Generic Security Service API)</em>.
It does not actually provide security services itself; rather, it is a framework
that provides security services to callers in a generic way.</p>
<p>The GSS-API does two main things:</p>
<blockquote>
<div><ol class="arabic">
<li><p>It creates a security context in which data can be passed between
applications. A context can be thought of as a sort of <em>“state of trust”</em>
between two applications.</p>
<p>Applications that share a context know who each other are and thus can
permit data transfers between them as long as the context lasts.</p>
</li>
<li><p>It applies one or more types of protection, known as <em>“security services”</em>,
to the data to be transmitted.</p></li>
</ol>
</div></blockquote>
<p>GSS-API provides several types of portability for applications:</p>
<blockquote>
<div><ol class="loweralpha simple">
<li><p><strong>Mechanism independence.</strong> GSS-API provides a generic interface to the
mechanisms for which it has been implemented. By specifying a default
security mechanism, an application does not need to know which mechanism
it is using (for example, Kerberos v5), or even what type of mechanism
it uses. As an example, when an application forwards a user’s credential
to a server, it does not need to know if that credential has a Kerberos
format or the format used by some other mechanism, nor how the
credentials are stored by the mechanism and accessed by the application.
(If necessary, an application can specify a particular mechanism to use)</p></li>
<li><p><strong>Protocol independence.</strong> The GSS-API is independent of any
communications protocol or protocol suite. It can be used with
applications that use, for example, plain sockets or RPC over TCP/IP.
<code class="docutils literal notranslate"><span class="pre">RPCSEC_GSS</span></code> is an additional layer that smoothly integrates the
GSS-API with RPC.</p></li>
<li><p><strong>Platform independence.</strong> The GSS-API is completely oblivious to the
type of operating system on which an application is running.</p></li>
<li><p><strong>Quality of Protection independence.</strong> Quality of Protection (QOP) is
the name given to the type of algorithm used in encrypting data or
generating cryptographic tags; the GSS-API allows a programmer to ignore
QOP, using a default provided by the GSS-API.
(On the other hand, an application can specify the QOP if necessary.)</p></li>
</ol>
<p>The basic security offered by the GSS-API is authentication. Authentication
is the verification of an identity: <em>if you are authenticated, it means
that you are recognized to be who you say you are.</em></p>
<p>The GSS-API provides for two additional security services, if supported by the
underlying mechanisms:</p>
<ol class="arabic">
<li><p><strong>Integrity:</strong> It’s not always sufficient to know that an application
sending you data is who it claims to be. The data itself could have
become corrupted or compromised.</p>
<p>The GSS-API provides for data to be accompanied by a cryptographic tag,
known as an <code class="docutils literal notranslate"><span class="pre">Message</span> <span class="pre">Integrity</span> <span class="pre">Code</span> <span class="pre">(MIC)</span></code>, to prove that the data
that arrives at your doorstep is the same as the data that the sender
transmitted. This verification of the data’s validity is known as
<em>“integrity”</em>.</p>
</li>
<li><p><strong>Confidentiality:</strong> Both authentication and integrity, however, leave
the data itself alone, so if it’s somehow intercepted, others can read
it.</p>
<p>The GSS-API therefore allows data to be encrypted, if underlying
mechanisms support it. This encryption of data is known as <em>“confidentiality”</em>.</p>
</li>
</ol>
</div></blockquote>
<div class="line-block">
<div class="line"><br /></div>
</div>
<p>Mechanisms Available With GSS-API:</p>
<blockquote>
<div><p>Ceph's GSS-API integration currently works only with the Kerberos v5 security
mechanism. For reference, mechanisms that exist for the GSS-API (the table lists names
and OIDs from various implementations and is not specific to Ceph) include:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">Mechanism</span> <span class="n">Name</span>          <span class="n">Object</span> <span class="n">Identifier</span>       <span class="n">Shared</span> <span class="n">Library</span>  <span class="n">Kernel</span> <span class="n">Module</span>
<span class="o">----------------------</span>  <span class="o">----------------------</span>  <span class="o">--------------</span>  <span class="o">--------------</span>
<span class="n">diffie_hellman_640_0</span>    <span class="mf">1.3.6.4.1.42.2.26.2.4</span>   <span class="n">dh640</span><span class="o">-</span><span class="mf">0.</span><span class="n">so</span><span class="mf">.1</span>
<span class="n">diffie_hellman_1024_0</span>   <span class="mf">1.3.6.4.1.42.2.26.2.5</span>   <span class="n">dh1024</span><span class="o">-</span><span class="mf">0.</span><span class="n">so</span><span class="mf">.1</span>
<span class="n">SPNEGO</span>                  <span class="mf">1.3.6.1.5.5.2</span>
<span class="n">iakerb</span>                  <span class="mf">1.3.6.1.5.2.5</span>
<span class="n">SCRAM</span><span class="o">-</span><span class="n">SHA</span><span class="o">-</span><span class="mi">1</span>             <span class="mf">1.3.6.1.5.5.14</span>
<span class="n">SCRAM</span><span class="o">-</span><span class="n">SHA</span><span class="o">-</span><span class="mi">256</span>           <span class="mf">1.3.6.1.5.5.18</span>
<span class="n">GSS</span><span class="o">-</span><span class="n">EAP</span> <span class="p">(</span><span class="n">arc</span><span class="p">)</span>           <span class="mf">1.3.6.1.5.5.15.1.1</span><span class="o">.*</span>
<span class="n">kerberos_v5</span>             <span class="mf">1.2.840.113554.1.2.2</span>    <span class="n">gl</span><span class="o">/</span><span class="n">mech_krb5</span><span class="o">.</span><span class="n">so</span> <span class="n">gl_kmech_krb5</span>

<span class="n">Therefore</span><span class="p">:</span>
    <span class="n">Kerberos</span> <span class="n">Version</span> <span class="mi">5</span> <span class="n">GSS</span><span class="o">-</span><span class="n">API</span> <span class="n">Mechanism</span>
    <span class="n">OID</span> <span class="p">{</span><span class="mf">1.2.840.113554.1.2.2</span><span class="p">}</span>

    <span class="n">Simple</span> <span class="ow">and</span> <span class="n">Protected</span> <span class="n">GSS</span><span class="o">-</span><span class="n">API</span> <span class="n">Negotiation</span> <span class="n">Mechanism</span>
    <span class="n">OID</span> <span class="p">{</span><span class="mf">1.3.6.1.5.5.2</span><span class="p">}</span>
</pre></div>
</div>
<p>There are two different textual formats for writing an OID:</p>
<blockquote>
<div><ol class="arabic simple">
<li><p>The first, <code class="docutils literal notranslate"><span class="pre">{</span> <span class="pre">1</span> <span class="pre">2</span> <span class="pre">3</span> <span class="pre">4</span> <span class="pre">}</span></code>, is officially mandated by the GSS-API
specs. <code class="docutils literal notranslate"><span class="pre">gss_str_to_oid()</span></code> expects this first format.</p></li>
<li><p>The second, <code class="docutils literal notranslate"><span class="pre">1.2.3.4</span></code>, is more widely used but is not an official
standard format.</p></li>
</ol>
</div></blockquote>
<p>Although the GSS-API makes protecting data simple, it does not do certain
things, in order to maximize its generic nature. These include:</p>
<blockquote>
<div><ol class="loweralpha simple">
<li><p>Provide security credentials for a user or application. These must
be provided by the underlying security mechanism(s). The GSS-API
does allow applications to acquire credentials, either automatically
or explicitly.</p></li>
<li><p>Transfer data between applications. It is the application’s
responsibility to handle the transfer of all data between peers,
whether it is security-related or “plain” data.</p></li>
<li><p>Distinguish between different types of transmitted data (for
example, to know or determine that a data packet is plain data and
not GSS-API related).</p></li>
<li><p>Indicate status due to remote (asynchronous) errors.</p></li>
<li><p>Automatically protect information sent between processes of a
multiprocess program.</p></li>
<li><p>Allocate string buffers (“Strings and Similar Data”) to be passed to
GSS-API functions.</p></li>
<li><p>Deallocate GSS-API data spaces. These must be explicitly deallocated
with functions such as <code class="docutils literal notranslate"><span class="pre">gss_release_buffer()</span></code> and
<code class="docutils literal notranslate"><span class="pre">gss_delete_name()</span></code>.</p></li>
</ol>
</div></blockquote>
</div></blockquote>
<div class="line-block">
<div class="line"><br /></div>
</div>
<p>These are the basic steps in using the GSS-API:</p>
<blockquote>
<div><ol class="arabic simple">
<li><p>Each application, sender and recipient, acquires credentials explicitly,
if credentials have not been acquired automatically.</p></li>
<li><p>The sender initiates a security context and the recipient accepts it.</p></li>
<li><p>The sender applies security protection to the message (data) it wants to
transmit. This means that it either encrypts the message or stamps it
with an identification tag. The sender transmits the protected message.
(The sender can choose not to apply either security protection, in which
case the message has only the default GSS-API security service
associated with it. That is authentication, in which the recipient knows
that the sender is who it claims to be.)</p></li>
<li><p>The recipient decrypts the message (if needed) and verifies it
(if appropriate).</p></li>
<li><p>(Optional) The recipient returns an identification tag to the sender for
confirmation.</p></li>
<li><p>Both applications destroy the shared security context. If necessary,
they can also deallocate any <em>“leftover”</em> GSS-API data.</p></li>
</ol>
<p>Applications that use the GSS-API should include the file <code class="docutils literal notranslate"><span class="pre">gssapi.h</span></code>.</p>
<dl class="simple">
<dt>Good References:</dt><dd><ul class="simple">
<li><p><a class="reference external" href="https://tools.ietf.org/html/rfc1964">rfc1964</a>.</p></li>
<li><p><a class="reference external" href="https://tools.ietf.org/html/rfc2743">rfc2743</a>.</p></li>
<li><p><a class="reference external" href="https://tools.ietf.org/html/rfc2744">rfc2744</a>.</p></li>
<li><p><a class="reference external" href="https://tools.ietf.org/html/rfc4178">rfc4178</a>.</p></li>
<li><p><a class="reference external" href="https://tools.ietf.org/html/rfc6649">rfc6649</a>.</p></li>
<li><p><a class="reference external" href="https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html">MIT Kerberos Documentation</a>.</p></li>
</ul>
</dd>
</dl>
</div></blockquote>
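<p>The two OID string formats, the DER encoding of the mechanism OIDs listed above, and the RFC 2743 token framing a receiver checks when it accepts a context in step 2 of the flow, as an added example (not Ceph or MIT krb5 code; the sample tokens are constructed and the Kerberos "inner token" is a dummy, not a real AP-REQ):</p>

```python
"""GSS-API mechanism OIDs and RFC 2743 InitialContextToken framing.
Added example (not Ceph or MIT code): converts between the two OID string
formats above, DER-encodes OIDs, and parses the token header a receiver uses
to tell a GSS-API context token apart from plain data. Samples are constructed."""
import re

# Mechanism OIDs listed on this page, in dotted form.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"
SPNEGO_MECH_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {KRB5_MECH_OID: "Kerberos Version 5 GSS-API Mechanism",
              SPNEGO_MECH_OID: "Simple and Protected GSS-API Negotiation Mechanism"}
# RFC 1964 TOK_ID values that open the Kerberos V5 inner token.
KRB5_TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

def parse_oid(text):
    """Accept '{ 1 2 840 113554 1 2 2 }' (the form gss_str_to_oid() expects)
    or '1.2.840.113554.1.2.2' and return the arcs as a list of ints."""
    text = text.strip()
    brace = re.fullmatch(r"\{\s*((?:\d+\s+)*\d+)\s*\}", text)
    if brace:
        arcs = [int(a) for a in brace.group(1).split()]
    elif re.fullmatch(r"\d+(?:\.\d+)+", text):
        arcs = [int(a) for a in text.split(".")]
    else:
        raise ValueError("not an OID in either supported format: %r" % text)
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid leading arcs: %r" % arcs)
    return arcs

def to_gssapi_form(arcs):
    """Brace form mandated by the GSS-API specs."""
    return "{ " + " ".join(map(str, arcs)) + " }"

def _base128(value):
    # Big-endian base-128 with continuation bits, as DER sub-identifiers use.
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def _read_der_len(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def oid_der(arcs):
    """DER OBJECT IDENTIFIER (tag 0x06), as carried in the token header."""
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body

def decode_oid(body):
    """Inverse of oid_der() for the value bytes (no tag or length)."""
    if body and body[-1] & 0x80:
        raise ValueError("truncated OID sub-identifier")
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:  # first sub-identifier packs the first two arcs
            arcs.extend(divmod(acc, 40) if acc < 80 else (2, acc - 80))
        else:
            arcs.append(acc)
        acc = 0
    return arcs

def build_initial_context_token(oid_text, inner):
    """RFC 2743 3.1 framing: 0x60 <len> <DER mech OID> <inner token>."""
    body = oid_der(parse_oid(oid_text)) + inner
    return b"\x60" + _der_len(len(body)) + body

def parse_initial_context_token(token):
    """Return (mechanism name, dotted OID, inner token), or raise ValueError
    when the bytes are not a GSS-API initial context token (i.e. plain data)."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("missing [APPLICATION 0] tag: not a GSS-API token")
    total, pos = _read_der_len(token, 1)
    if pos + total != len(token) or total < 2 or token[pos] != 0x06:
        raise ValueError("bad token length or missing mechanism OID")
    oidlen, pos = _read_der_len(token, pos + 1)
    if pos + oidlen > len(token):
        raise ValueError("truncated mechanism OID")
    dotted = ".".join(map(str, decode_oid(token[pos:pos + oidlen])))
    return MECH_NAMES.get(dotted, "unknown mechanism"), dotted, token[pos + oidlen:]

def classify_krb5_inner_token(inner):
    """Name a Kerberos V5 inner token by its two-byte TOK_ID."""
    return KRB5_TOK_IDS.get(bytes(inner[:2]), "unknown TOK_ID")
```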
<div class="line-block">
<div class="line"><br /></div>
</div>
</div>
</div>
<div class="section" id="kerberos">
<h2>** <em>Kerberos Server Setup</em> **<a class="headerlink" href="#kerberos" title="Permalink to this headline">¶</a></h2>
<p>First and foremost, <code class="docutils literal notranslate"><span class="pre">this</span> <span class="pre">is</span> <span class="pre">not</span> <span class="pre">a</span> <span class="pre">recommendation</span> <span class="pre">for</span> <span class="pre">a</span> <span class="pre">production</span>
<span class="pre">environment</span></code>. We are not covering <code class="docutils literal notranslate"><span class="pre">Master/Slave</span> <span class="pre">replication</span> <span class="pre">cluster</span></code> or
anything production environment related (<em>ntp/chrony, dns, pam/nss, sssd, etc</em>).</p>
<p>Also, on the server side there might be different dependencies and/or
configuration steps needed, depending on which backend database will be used.
<code class="docutils literal notranslate"><span class="pre">LDAP</span> <span class="pre">as</span> <span class="pre">a</span> <span class="pre">backend</span> <span class="pre">database</span></code> is a good example of that.</p>
<p>On the client side there are different steps depending on which client backend
configuration will be used, for example <code class="docutils literal notranslate"><span class="pre">PAM/NSS</span></code> or <code class="docutils literal notranslate"><span class="pre">SSSD</span></code> (along with
LDAP for the identity service and Kerberos for the authentication service); the latter is
the best suited option for joining <code class="docutils literal notranslate"><span class="pre">MS</span> <span class="pre">Active</span> <span class="pre">Directory</span> <span class="pre">domains</span></code> and doing
<code class="docutils literal notranslate"><span class="pre">User</span> <span class="pre">Logon</span> <span class="pre">Management</span></code>.</p>
<p>By no means do we intend to cover every possible scenario/combination here. These
steps are for a simple <em>get a (MIT) Kerberos Server up and running</em>.</p>
<p>Please note that <em>rpm packages might have slightly different names</em>, as well
as the locations of the binaries and/or configuration files, depending on
which Linux distro we are referring to.</p>
<p>Finally, keep in mind that some Linux distros will have their own <code class="docutils literal notranslate"><span class="pre">wizards</span></code>,
which can perform the basic needed configuration:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">SUSE</span><span class="p">:</span>
    <span class="n">Kerberos</span> <span class="n">server</span><span class="p">:</span>
        <span class="n">yast2</span> <span class="n">auth</span><span class="o">-</span><span class="n">server</span>

    <span class="n">Kerberos</span> <span class="n">client</span><span class="p">:</span>
        <span class="n">pam</span><span class="o">/</span><span class="n">nss</span><span class="p">:</span> <span class="n">yast2</span> <span class="n">ldapkrb</span>
        <span class="n">sssd</span><span class="p">:</span> <span class="n">yast2</span> <span class="n">auth</span><span class="o">-</span><span class="n">client</span>
</pre></div>
</div>
<p>However, we are going through the <code class="docutils literal notranslate"><span class="pre">manual</span> <span class="pre">configuration</span></code>.</p>
<p>In order to get a new MIT KDC Server running:</p>
<ol class="arabic">
<li><p>Install the KDC server by:</p>
<blockquote>
<div><ol class="loweralpha">
<li><p>Install the needed packages:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">SUSE</span><span class="p">:</span> <span class="n">zypper</span> <span class="n">install</span> <span class="n">krb5</span> <span class="n">krb5</span><span class="o">-</span><span class="n">server</span> <span class="n">krb5</span><span class="o">-</span><span class="n">client</span>
    <span class="n">Additionally</span><span class="p">:</span>
        <span class="k">for</span> <span class="n">development</span><span class="p">:</span> <span class="n">krb5</span><span class="o">-</span><span class="n">devel</span>
        <span class="k">if</span> <span class="n">using</span> <span class="s1">&#39;sssd&#39;</span><span class="p">:</span> <span class="n">sssd</span><span class="o">-</span><span class="n">krb5</span> <span class="n">sssd</span><span class="o">-</span><span class="n">krb5</span><span class="o">-</span><span class="n">common</span>

<span class="n">REDHAT</span><span class="p">:</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">krb5</span><span class="o">-</span><span class="n">server</span> <span class="n">krb5</span><span class="o">-</span><span class="n">libs</span> <span class="n">krb5</span><span class="o">-</span><span class="n">workstation</span>
    <span class="n">Additionally</span><span class="p">:</span> <span class="s1">&#39;Needs to be checked&#39;</span>
</pre></div>
</div>
</li>
<li><p>Edit the KDC Server configuration file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kdc</span><span class="o">.</span><span class="n">conf</span>
<span class="p">[</span><span class="n">kdcdefaults</span><span class="p">]</span>
        <span class="n">kdc_ports</span> <span class="o">=</span> <span class="mi">750</span><span class="p">,</span><span class="mi">88</span>
<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
        <span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
            <span class="n">acl_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">acl</span>
            <span class="n">admin_keytab</span> <span class="o">=</span> <span class="n">FILE</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">keytab</span>
            <span class="n">default_principal_flags</span> <span class="o">=</span> <span class="o">+</span><span class="n">postdateable</span> <span class="o">+</span><span class="n">forwardable</span> <span class="o">+</span><span class="n">renewable</span> <span class="o">+</span><span class="n">proxiable</span>
                                                    <span class="o">+</span><span class="n">dup</span><span class="o">-</span><span class="n">skey</span> <span class="o">-</span><span class="n">preauth</span> <span class="o">-</span><span class="n">hwauth</span> <span class="o">+</span><span class="n">service</span>
                                                    <span class="o">+</span><span class="n">tgt</span><span class="o">-</span><span class="n">based</span> <span class="o">+</span><span class="n">allow</span><span class="o">-</span><span class="n">tickets</span> <span class="o">-</span><span class="n">pwchange</span>
                                                    <span class="o">-</span><span class="n">pwservice</span>
            <span class="n">dict_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">dict</span>
            <span class="n">key_stash_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/.</span><span class="n">k5</span><span class="o">.</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
            <span class="n">kdc_ports</span> <span class="o">=</span> <span class="mi">750</span><span class="p">,</span><span class="mi">88</span>
            <span class="n">max_life</span> <span class="o">=</span> <span class="mi">0</span><span class="n">d</span> <span class="mi">10</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
            <span class="n">max_renewable_life</span> <span class="o">=</span> <span class="mi">7</span><span class="n">d</span> <span class="mi">0</span><span class="n">h</span> <span class="mi">0</span><span class="n">m</span> <span class="mi">0</span><span class="n">s</span>
        <span class="p">}</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
<li><p>Edit the Kerberos Client configuration file:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">krb5</span><span class="o">.</span><span class="n">conf</span>
<span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
    <span class="n">dns_canonicalize_hostname</span> <span class="o">=</span> <span class="n">false</span>
    <span class="n">rdns</span> <span class="o">=</span> <span class="n">false</span>
    <span class="n">forwardable</span> <span class="o">=</span> <span class="n">true</span>
    <span class="c1"># the next two settings are only needed if using DNS/DNSMasq</span>
    <span class="n">dns_lookup_realm</span> <span class="o">=</span> <span class="n">true</span>
    <span class="n">dns_lookup_kdc</span> <span class="o">=</span> <span class="n">true</span>
    <span class="n">allow_weak_crypto</span> <span class="o">=</span> <span class="n">false</span>
    <span class="n">default_realm</span> <span class="o">=</span> <span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
    <span class="n">default_ccache_name</span> <span class="o">=</span> <span class="n">KEYRING</span><span class="p">:</span><span class="n">persistent</span><span class="p">:</span><span class="o">%</span><span class="p">{</span><span class="n">uid</span><span class="p">}</span>

<span class="p">[</span><span class="n">realms</span><span class="p">]</span>
    <span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="o">=</span> <span class="p">{</span>
        <span class="n">kdc</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span>
        <span class="n">admin_server</span> <span class="o">=</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span>
        <span class="o">...</span>
    <span class="p">}</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
</ol>
</div></blockquote>
</li>
<li><p>Create the Kerberos database:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">SUSE</span><span class="p">:</span> <span class="n">kdb5_util</span> <span class="n">create</span> <span class="o">-</span><span class="n">s</span>

<span class="n">REDHAT</span><span class="p">:</span> <span class="n">kdb5_util</span> <span class="n">create</span> <span class="o">-</span><span class="n">s</span>
</pre></div>
</div>
</li>
<li><p>Enable and Start both ‘KDC and KDC admin’ servers:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">SUSE</span><span class="p">:</span> <span class="n">systemctl</span> <span class="n">enable</span><span class="o">/</span><span class="n">start</span> <span class="n">krb5kdc</span>
      <span class="n">systemctl</span> <span class="n">enable</span><span class="o">/</span><span class="n">start</span> <span class="n">kadmind</span>

<span class="n">REDHAT</span><span class="p">:</span> <span class="n">systemctl</span> <span class="n">enable</span><span class="o">/</span><span class="n">start</span> <span class="n">krb5kdc</span>
        <span class="n">systemctl</span> <span class="n">enable</span><span class="o">/</span><span class="n">start</span> <span class="n">kadmin</span>
</pre></div>
</div>
</li>
<li><dl>
<dt>Create a Kerberos Administrator</dt><dd><p>Kerberos principals can be created either locally on the KDC server itself
or through the network, using an ‘admin principal’. On the KDC server,
using <code class="docutils literal notranslate"><span class="pre">kadmin.local</span></code>:</p>
<ol class="loweralpha">
<li><p>List the existing principals:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">listprincs</span>
<span class="n">K</span><span class="o">/</span><span class="n">M</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">krbtgt</span><span class="o">/</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">changepw</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">history</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">kadmin</span><span class="o">/</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
</ol>
<ol class="loweralpha" start="2">
<li><p>In case we don’t have a built-in ‘admin principal’, we create one
(any <code class="docutils literal notranslate"><span class="pre">principal</span> <span class="pre">name</span></code> will do; we are using <code class="docutils literal notranslate"><span class="pre">root</span></code>, since by default
<code class="docutils literal notranslate"><span class="pre">kinit</span></code> tries to authenticate as the principal matching the system login user name,
unless a <code class="docutils literal notranslate"><span class="pre">principal</span></code> is passed as an argument: <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">principal</span></code>):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># kadmin.local -q &quot;addprinc root/admin&quot;</span>
<span class="n">Authenticating</span> <span class="k">as</span> <span class="n">principal</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span> <span class="k">with</span> <span class="n">password</span><span class="o">.</span>
<span class="n">WARNING</span><span class="p">:</span> <span class="n">no</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="n">root</span><span class="o">/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="p">;</span> <span class="n">defaulting</span> <span class="n">to</span> <span class="n">no</span> <span class="n">policy</span>
<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;root/admin@MYDOMAIN.COM&quot;</span><span class="p">:</span>
</pre></div>
</div>
</li>
</ol>
<ol class="loweralpha" start="3">
<li><p>Confirm the newly created ‘admin principal’ has the needed permissions
in the KDC ACL (if ACLs are changed, <code class="docutils literal notranslate"><span class="pre">kadmind</span></code> needs to be restarted):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">SUSE</span><span class="p">:</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">acl</span>
<span class="n">REDHAT</span><span class="p">:</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">kerberos</span><span class="o">/</span><span class="n">krb5kdc</span><span class="o">/</span><span class="n">kadm5</span><span class="o">.</span><span class="n">acl</span>

<span class="c1">###############################################################################</span>
<span class="c1">#Kerberos_principal      permissions     [target_principal]      [restrictions]</span>
<span class="c1">###############################################################################</span>
<span class="c1">#</span>
<span class="o">*/</span><span class="n">admin</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>     <span class="o">*</span>
</pre></div>
</div>
</li>
<li><p>Create a simple ‘user principal’ (same steps as in <em>The ‘Ceph side’ of
the things</em>; 4a):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="o">.</span><span class="n">local</span><span class="p">:</span>  <span class="n">addprinc</span> <span class="n">johndoe</span>
<span class="n">WARNING</span><span class="p">:</span> <span class="n">no</span> <span class="n">policy</span> <span class="n">specified</span> <span class="k">for</span> <span class="n">johndoe</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="p">;</span> <span class="n">defaulting</span> <span class="n">to</span> <span class="n">no</span> <span class="n">policy</span>
<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;johndoe@MYDOMAIN.COM&quot;</span><span class="p">:</span>
<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">&quot;johndoe@MYDOMAIN.COM&quot;</span><span class="p">:</span>
<span class="n">Principal</span> <span class="s2">&quot;johndoe@MYDOMAIN.COM&quot;</span> <span class="n">created</span><span class="o">.</span>
</pre></div>
</div>
</li>
<li><p>Confirm the newly created ‘user principal’ is able to authenticate (same
steps as in <em>The ‘Ceph side’ of the things</em>; 6):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># kdestroy -A &amp;&amp; kinit -f johndoe &amp;&amp; klist -f</span>
<span class="n">Password</span> <span class="k">for</span> <span class="n">johndoe</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span>
<span class="n">Ticket</span> <span class="n">cache</span><span class="p">:</span> <span class="n">KEYRING</span><span class="p">:</span><span class="n">persistent</span><span class="p">:</span><span class="mi">0</span><span class="p">:</span><span class="mi">0</span>
<span class="n">Default</span> <span class="n">principal</span><span class="p">:</span> <span class="n">johndoe</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>

<span class="n">Valid</span> <span class="n">starting</span>       <span class="n">Expires</span>              <span class="n">Service</span> <span class="n">principal</span>
<span class="mi">11</span><span class="o">/</span><span class="mi">16</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">13</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="mi">16</span>  <span class="mi">11</span><span class="o">/</span><span class="mi">16</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">23</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="mi">16</span>  <span class="n">krbtgt</span><span class="o">/</span><span class="n">MYDOMAIN</span><span class="o">.</span><span class="n">COM</span><span class="nd">@MYDOMAIN</span><span class="o">.</span><span class="n">COM</span>
        <span class="n">renew</span> <span class="n">until</span> <span class="mi">11</span><span class="o">/</span><span class="mi">17</span><span class="o">/</span><span class="mi">2018</span> <span class="mi">13</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="mi">16</span><span class="p">,</span> <span class="n">Flags</span><span class="p">:</span> <span class="n">FRI</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
</ol>
</dd>
</dl>
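<p>A checker for the <code class="docutils literal notranslate"><span class="pre">kadm5.acl</span></code> entries from step c, as an added example (not Ceph or MIT krb5 code): it parses ACL lines, evaluates whether a given admin principal holds a privilege, and flags wildcard entries that grant every privilege, such as the <code class="docutils literal notranslate"><span class="pre">*/admin@MYDOMAIN.COM</span> <span class="pre">*</span></code> line above. Assumed here: wildcards match within one principal component, the first matching entry decides, and the restrictions field and <code class="docutils literal notranslate"><span class="pre">*N</span></code> back-references are not handled; the sample ACL is constructed.</p>

```python
"""Evaluate MIT kadm5.acl entries for an admin principal and operation.

Added example, not from the Ceph docs or MIT krb5. Assumptions: '*' and '?'
match within one principal component (primary, instance, realm), the first
matching entry decides, and the restrictions field and '*N' back-references
in target principals are not supported here.
"""
import fnmatch

# Permission letters from kadm5.acl(5); 'x' and '*' stand for all of them.
ALL_PRIVS = frozenset("admcilsp")


def split_principal(name):
    """'root/admin@MYDOMAIN.COM' -> (['root', 'admin'], 'MYDOMAIN.COM')."""
    if "@" not in name:
        raise ValueError("principal must carry a realm: %r" % name)
    comps, realm = name.rsplit("@", 1)
    return comps.split("/"), realm


def principal_matches(pattern, name):
    """Match a (possibly wildcarded) ACL pattern against a concrete principal."""
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(name)
    if len(pcomps) != len(ncomps):
        return False
    if not fnmatch.fnmatchcase(nrealm, prealm):
        return False
    return all(fnmatch.fnmatchcase(n, p) for p, n in zip(pcomps, ncomps))


def parse_permissions(field):
    """Lowercase letters grant, uppercase deny; 'x' or '*' grants everything."""
    granted = set()
    for ch in field:
        if ch in "x*":
            granted |= ALL_PRIVS
        elif ch.islower():
            granted.add(ch)
        elif ch.isupper():
            granted.discard(ch.lower())
        else:
            raise ValueError("bad permission character %r" % ch)
    return granted


def parse_acl(text):
    """Return a list of (principal_pattern, permissions, target_pattern)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], parse_permissions(fields[1]), target))
    return entries


def is_allowed(entries, admin, priv, target=None):
    """Does `admin` hold privilege `priv` (optionally on `target`)?

    Walks the entries in order and uses the first one whose principal (and
    target, when the entry names one) matches; no match means denied.
    """
    for pattern, perms, tpattern in entries:
        if not principal_matches(pattern, admin):
            continue
        if tpattern is not None:
            if target is None or not principal_matches(tpattern, target):
                continue
        return priv in perms
    return False


def overly_broad_entries(entries):
    """Entries granting every privilege to a wildcarded principal: worth a
    second look before such an ACL leaves a test KDC."""
    return [p for p, perms, _ in entries if perms >= ALL_PRIVS and "*" in p.split("@")[0]]


# Constructed sample ACL: the page's own '*/admin@MYDOMAIN.COM *' line plus
# two narrower entries (helpdesk may only change passwords and inquire on
# principals of the local realm; johndoe gets everything except delete).
SAMPLE_ACL = """\
###############################################################################
#Kerberos_principal      permissions     [target_principal]      [restrictions]
###############################################################################
*/admin@MYDOMAIN.COM     *
helpdesk@MYDOMAIN.COM    ci          *@MYDOMAIN.COM
johndoe@MYDOMAIN.COM     xD
"""
```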
</li>
<li><p>At this point, we should have a <em>simple (MIT) Kerberos Server up and running</em>:</p>
<blockquote>
<div><ol class="loweralpha">
<li><p>Considering we will want to work with keytab files, for both ‘user and
service’ principals, refer to <em>The ‘Ceph side’ of the things</em> starting
at step 4.</p></li>
<li><p>Make sure you are comfortable with the following and their <code class="docutils literal notranslate"><span class="pre">manpages</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">krb5</span><span class="o">.</span><span class="n">conf</span>       <span class="o">-&gt;</span> <span class="n">Krb</span> <span class="n">client</span> <span class="n">config</span> <span class="n">file</span>
<span class="n">kdc</span><span class="o">.</span><span class="n">conf</span>        <span class="o">-&gt;</span> <span class="n">KDC</span> <span class="n">server</span> <span class="n">config</span> <span class="n">file</span>

<span class="n">krb5kdc</span>         <span class="o">-&gt;</span> <span class="n">KDC</span> <span class="n">server</span> <span class="n">daemon</span>
<span class="n">kadmind</span>         <span class="o">-&gt;</span> <span class="n">KDC</span> <span class="n">administration</span> <span class="n">daemon</span>

<span class="n">kadmin</span>          <span class="o">-&gt;</span> <span class="n">Krb</span> <span class="n">administration</span> <span class="n">tool</span>
<span class="n">kdb5_util</span>       <span class="o">-&gt;</span> <span class="n">Krb</span> <span class="n">low</span><span class="o">-</span><span class="n">level</span> <span class="n">database</span> <span class="n">administration</span> <span class="n">tool</span>

<span class="n">kinit</span>           <span class="o">-&gt;</span> <span class="n">Obtain</span> <span class="ow">and</span> <span class="n">cache</span> <span class="n">Kerberos</span> <span class="n">ticket</span><span class="o">-</span><span class="n">granting</span> <span class="n">ticket</span> <span class="n">tool</span>
<span class="n">klist</span>           <span class="o">-&gt;</span> <span class="n">List</span> <span class="n">cached</span> <span class="n">Kerberos</span> <span class="n">tickets</span> <span class="n">tool</span>
<span class="n">kdestroy</span>        <span class="o">-&gt;</span> <span class="n">Destroy</span> <span class="n">Kerberos</span> <span class="n">tickets</span> <span class="n">tool</span>
</pre></div>
</div>
</li>
</ol>
</div></blockquote>
</li>
<li><dl>
<dt>Name Resolution</dt><dd><p>As mentioned earlier, Kerberos <em>relies heavily on name resolution</em>. Most
Kerberos issues are related to name resolution, since Kerberos
is <em>very picky</em> about both <em>system names</em> and <em>host lookups</em>.</p>
<ol class="loweralpha">
<li><p>As described in <em>The ‘Ceph side’ of the things</em>; step 2a, DNS RRs
greatly improve service location and host/domain resolution, by using
<code class="docutils literal notranslate"><span class="pre">(srv</span> <span class="pre">resources)</span></code> and <code class="docutils literal notranslate"><span class="pre">(txt</span> <span class="pre">record)</span></code> respectively (as per
<em>Before We Start</em>; <em>DNS resolution</em>).</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">named</span><span class="o">/</span><span class="n">master</span><span class="o">/</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span>
<span class="n">kerberos</span>                <span class="n">IN</span> <span class="n">A</span>        <span class="mf">192.168.10.21</span>
<span class="n">kerberos</span><span class="o">-</span><span class="n">slave</span>          <span class="n">IN</span> <span class="n">A</span>        <span class="mf">192.168.10.22</span>
<span class="n">_kerberos</span>               <span class="n">IN</span> <span class="n">TXT</span>      <span class="s2">&quot;MYDOMAIN.COM&quot;</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">_udp</span>          <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">1</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">_tcp</span>          <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">1</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">_udp</span>          <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">20</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span><span class="o">-</span><span class="n">slave</span>
<span class="n">_kerberos</span><span class="o">-</span><span class="n">master</span><span class="o">.</span><span class="n">_udp</span>   <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">0</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span>
<span class="n">_kerberos</span><span class="o">-</span><span class="n">adm</span><span class="o">.</span><span class="n">_tcp</span>      <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">0</span> <span class="mi">0</span> <span class="mi">749</span> <span class="n">kerberos</span>
<span class="n">_kpasswd</span><span class="o">.</span><span class="n">_udp</span>           <span class="n">IN</span> <span class="n">SRV</span>      <span class="mi">0</span> <span class="mi">0</span> <span class="mi">464</span> <span class="n">kerberos</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
<li><p>For a small network or development environment, where a <em>DNS server is
not available</em>, we have the option to use <code class="docutils literal notranslate"><span class="pre">DNSMasq</span></code>, an
easy-to-configure lightweight DNS server (along with some other
capabilities).</p>
<p>These records can be added to <code class="docutils literal notranslate"><span class="pre">/etc/dnsmasq.conf</span></code> (in addition to the
needed ‘host records’):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">dnsmasq</span><span class="o">.</span><span class="n">conf</span>
<span class="o">...</span>
<span class="n">txt</span><span class="o">-</span><span class="n">record</span><span class="o">=</span><span class="n">_kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="s2">&quot;MYDOMAIN.COM&quot;</span>
<span class="n">srv</span><span class="o">-</span><span class="n">host</span><span class="o">=</span><span class="n">_kerberos</span><span class="o">.</span><span class="n">_udp</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="mi">88</span><span class="p">,</span><span class="mi">1</span>
<span class="n">srv</span><span class="o">-</span><span class="n">host</span><span class="o">=</span><span class="n">_kerberos</span><span class="o">.</span><span class="n">_udp</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="n">kerberos</span><span class="o">-</span><span class="mf">2.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="mi">88</span><span class="p">,</span><span class="mi">20</span>
<span class="n">srv</span><span class="o">-</span><span class="n">host</span><span class="o">=</span><span class="n">_kerberos</span><span class="o">-</span><span class="n">master</span><span class="o">.</span><span class="n">_udp</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="mi">88</span><span class="p">,</span><span class="mi">0</span>
<span class="n">srv</span><span class="o">-</span><span class="n">host</span><span class="o">=</span><span class="n">_kerberos</span><span class="o">-</span><span class="n">adm</span><span class="o">.</span><span class="n">_tcp</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="mi">749</span><span class="p">,</span><span class="mi">0</span>
<span class="n">srv</span><span class="o">-</span><span class="n">host</span><span class="o">=</span><span class="n">_kpasswd</span><span class="o">.</span><span class="n">_udp</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="mi">464</span><span class="p">,</span><span class="mi">0</span>
<span class="n">srv</span><span class="o">-</span><span class="n">host</span><span class="o">=</span><span class="n">_kerberos</span><span class="o">.</span><span class="n">_tcp</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="p">,</span><span class="mi">88</span><span class="p">,</span><span class="mi">1</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
<li><p>Once ‘b)’ is all set and the <code class="docutils literal notranslate"><span class="pre">dnsmasq</span></code> service is up and running, we can
test it using:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="c1"># nslookup kerberos</span>
<span class="n">Server</span><span class="p">:</span>     <span class="mf">192.168.10.1</span>
<span class="n">Address</span><span class="p">:</span>    <span class="mf">192.168.10.1</span><span class="c1">#53</span>

<span class="n">Name</span><span class="p">:</span>   <span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span>
<span class="n">Address</span><span class="p">:</span> <span class="mf">192.168.10.21</span>

<span class="c1"># host -t SRV _kerberos._tcp.mydomain.com</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">_tcp</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span> <span class="n">has</span> <span class="n">SRV</span> <span class="n">record</span> <span class="mi">1</span> <span class="mi">0</span> <span class="mi">88</span> <span class="n">kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span><span class="o">.</span>

<span class="c1"># host -t SRV {each srv-host record}</span>
<span class="c1"># host -t TXT _kerberos.mydomain.com</span>
<span class="n">_kerberos</span><span class="o">.</span><span class="n">mydomain</span><span class="o">.</span><span class="n">com</span> <span class="n">descriptive</span> <span class="n">text</span> <span class="s2">&quot;MYDOMAIN.COM&quot;</span>
<span class="o">...</span>
</pre></div>
</div>
</li>
</ol>
<ol class="loweralpha simple" start="6">
<li><p>As long as <code class="docutils literal notranslate"><span class="pre">name</span> <span class="pre">resolution</span></code> is working properly, either <code class="docutils literal notranslate"><span class="pre">dnsmasq</span></code>
or <code class="docutils literal notranslate"><span class="pre">named</span></code>, Kerberos should be able to find the needed service
records.</p></li>
</ol>
</dd>
</dl>
</li>
</ol>
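<p>As an added example (not part of the Ceph documentation or the project's code), the following Python script parses the <code class="docutils literal notranslate"><span class="pre">srv-host</span></code> and <code class="docutils literal notranslate"><span class="pre">txt-record</span></code> lines from a <code class="docutils literal notranslate"><span class="pre">dnsmasq.conf</span></code> fragment like the one above and checks, before any client is pointed at it, that the realm TXT record and every SRV record Kerberos discovery depends on are present with the expected ports. The sample configuration and the <code class="docutils literal notranslate"><span class="pre">EXPECTED_PORTS</span></code> table are constructed from the records shown on this page.</p>

```python
# Constructed sample mirroring the dnsmasq.conf fragment above (not from the page's files).
DNSMASQ_CONF = """\
txt-record=_kerberos.mydomain.com,"MYDOMAIN.COM"
srv-host=_kerberos._udp.mydomain.com,kerberos.mydomain.com,88,1
srv-host=_kerberos._udp.mydomain.com,kerberos-2.mydomain.com,88,20
srv-host=_kerberos-master._udp.mydomain.com,kerberos.mydomain.com,88,0
srv-host=_kerberos-adm._tcp.mydomain.com,kerberos.mydomain.com,749,0
srv-host=_kpasswd._udp.mydomain.com,kerberos.mydomain.com,464,0
srv-host=_kerberos._tcp.mydomain.com,kerberos.mydomain.com,88,1
"""
# Service labels a Kerberos client resolves under the domain, with the port each should carry.
EXPECTED_PORTS = {"_kerberos._udp": 88, "_kerberos._tcp": 88, "_kerberos-master._udp": 88,
                  "_kerberos-adm._tcp": 749, "_kpasswd._udp": 464}


def parse_dnsmasq(text):
    """Return (txt_records, srv_records) parsed from txt-record= and srv-host= lines."""
    txt, srv = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("txt-record="):
            name, value = line[len("txt-record="):].split(",", 1)
            txt[name] = value.strip().strip('"')
        elif line.startswith("srv-host="):
            # dnsmasq field order: name,target[,port[,priority[,weight]]]; omitted ones read as 0.
            f = line[len("srv-host="):].split(",") + ["0", "0", "0"]
            srv.append({"name": f[0], "target": f[1], "port": int(f[2]),
                        "priority": int(f[3]), "weight": int(f[4])})
    return txt, srv


def check_kerberos_dns(txt, srv, domain):
    """List the problems a client doing DNS-based KDC discovery would run into."""
    problems = []
    realm = txt.get("_kerberos." + domain)
    if realm is None:
        problems.append("missing _kerberos TXT realm record")
    elif realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper-case")  # realm names are case-sensitive
    by_service = {}
    for r in srv:
        label = r["name"][:-len(domain) - 1] if r["name"].endswith("." + domain) else r["name"]
        by_service.setdefault(label, []).append(r)
    for svc, port in EXPECTED_PORTS.items():
        recs = by_service.get(svc, [])
        if not recs:
            problems.append(f"no SRV record for {svc}")
        elif any(r["port"] != port for r in recs):
            problems.append(f"{svc} advertises a port other than {port}")
    return problems
```

<p>Running <code class="docutils literal notranslate"><span class="pre">check_kerberos_dns(*parse_dnsmasq(DNSMASQ_CONF), "mydomain.com")</span></code> on the sample returns an empty list; a lower-case realm or a missing <code class="docutils literal notranslate"><span class="pre">_kpasswd._udp</span></code> entry is reported by name.</p>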
</div>
</div>



           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  


  
  
    
   

</body>
</html>